Table of Contents

  1. Breaches
    1. Lead Hunter - 68,693,853 breached accounts
    2. Indiana covered entities discover that their documents storage and secure destruction vendor dumped records improperly
    3. 100,000+ Indian Nationals IDs Leaked in the Darknet
    4. Mobile Data: How a Quiz App Exposed Account Details for Millions
    5. French Civic Service exposes 1.4 million user records on the web, including volunteers’ personal details
  2. Ransomware
    1. REvil Ransomware Operators Breached Plaza Collection Ltd
    2. REvil ransomware creates eBay-like auction site for stolen data
    3. NetWalker Ransomware Operators Target Columbia College of Chicago
    4. Ransomware gang says it breached one of NASA's IT contractors
  3. Privacy
    1. Google Faces $5 Billion Lawsuit In US For Tracking 'Private' Internet Use
    2. DEA authorized to conduct surveillance on protestors
    3. Minnesota is now using contact tracing to track protestors, as demonstrations escalate
    4. Thousands of People Are Monitoring Police Scanners During the George Floyd Protests
  4. Vulnerabilities
    1. New cold boot attack affects seven years of LG Android smartphones
  5. Crime
    1. Hackers Plan To Use Stolen Cryptocurrency Exchange Data for SIM Swapping
  6. Misc
    1. Internet Users of All Kinds Should Be Concerned by a New Copyright Office Report
    2. DOD's Third Attempt To Implement IPv6 Isn't Going Well
  7. Malware
    1. Ursnif/Gozi Delivery - Old School Excel Macro 4.0 Utilization Uptick and the OCR Heuristics Bypass

Breaches

Lead Hunter - 68,693,853 breached accounts

In March 2020, a massive trove of personal information referred to as "Lead Hunter" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. The data contained 69 million unique email addresses across 110 million rows of data accompanied by additional personal information including names, phone numbers, genders and physical addresses. At the time of publishing, the breach could not be attributed to those responsible for obtaining and exposing it. The data was provided to HIBP by dehashed.com.

Indiana covered entities discover that their documents storage and secure destruction vendor dumped records improperly

Mishawaka, Ind.-based Saint Joseph Health System [disclosed to patients](https://www.databreaches.net/indiana-covered-entities-discover-that-their-documents-storage-and-secure-destruction-vendor-dumped-records-improperly/) last week that in April it discovered that some of the patient and employee records it had paid to have securely stored or destroyed were improperly dumped in an unsecured location in South Bend, Ind. The records had been entrusted to Central Files and included protected information about patients, clients and employees of Saint Joseph Health System and six other Indiana health providers. Central Files was paid to destroy certain records and was instructed to securely store the remaining records until they were transferred to another records storage company.

100,000+ Indian Nationals IDs Leaked in the Darknet

Cyble researchers came across an actor with no established reputation who is currently selling over 100,000 Indian national IDs on the darknet.

Mobile Data: How a Quiz App Exposed Account Details for Millions

UpGuard can now report that a cloud storage repository containing personally identifiable information (PII) and device data tied to millions of phone app users, collected by the multi-device advertising app "TVSmiles", has been secured. Among the 261 database tables present, the "core~users~" table consists of over 6.6 million rows. Of the entries containing an email address, 901,000 are unique. The publicly accessible storage bucket contained a 306 GB PostgreSQL database backup with unencrypted PII matched to individual users, profiling insights about users' interests based on quiz responses, associations to smart devices, and accounts and login details for TVSmiles' business relationships. TVSmiles is a German company with customers and users largely located in Europe where the General Data Protection Regulation was passed in 2016 and implemented in 2018.

French Civic Service exposes 1.4 million user records on the web, including volunteers’ personal details

A 5.0 GB database belonging to the French Civic Service exposed nearly 1.4 million records on the web without a password or any other authentication required to access it, Comparitech researchers report. The Agence du Service Civique recruits 19- to 25-year-olds for volunteer work. The database included hundreds of thousands of contract details for volunteers in the program, plus more than 1 million names, email addresses, and passwords of users who signed up through the website. Comparitech's security research team, led by cybersecurity expert Bob Diachenko, discovered the database on May 30 and reported it to the French Civic Service the same day. The organization acted quickly and secured the exposed server a few hours later.

Ransomware

REvil Ransomware Operators Breached Plaza Collection Ltd

Over the past few days, the REvil ransomware operators have been publishing several large data leaks, including data from Agromart Group, the Elexon Corporation, and others. In this instance, they targeted Plaza Collection Ltd and leaked its confidential data online.

REvil ransomware creates eBay-like auction site for stolen data

The operators of the REvil ransomware have launched a new auction site used to sell victims' stolen data to the highest bidder. REvil, otherwise known as Sodinokibi, is a ransomware operation that breaches corporate networks using exposed remote desktop services, spam, exploits, and hacked Managed Service Providers. Once established on a network, the operators quietly spread laterally through the company while stealing unencrypted data from workstations and exposed servers. When they gain administrative access to a domain controller, they deploy the ransomware to encrypt all of the computers on the network. Earlier this year, the REvil operators launched a data leak site that is used to publish a victim's data if a ransom is not paid. Named the 'Happy Blog,' the site is used by the gang to post samples of the stolen data and then threaten to release the actual files.

NetWalker Ransomware Operators Target Columbia College of Chicago

Once again, the NetWalker ransomware operators have trapped a big fish in their net. In this instance, they targeted Columbia College of Chicago and leaked its confidential data online.

Ransomware gang says it breached one of NASA's IT contractors

The operators of the DoppelPaymer ransomware congratulated SpaceX and NASA on their first crewed rocket launch and then immediately announced that they had infected the network of one of NASA's IT contractors. In a blog post published today, the DoppelPaymer ransomware gang said it successfully breached the network of Digital Management Inc. (DMI), a Maryland-based company that provides managed IT and cyber-security services on demand. According to the company's press releases, DMI's customer list includes several Fortune 100 companies and many government agencies, among them NASA.

Privacy

Google Faces $5 Billion Lawsuit In US For Tracking 'Private' Internet Use

Google was sued on Tuesday in a proposed class action accusing the internet search company of illegally invading the privacy of millions of users by pervasively tracking their internet use through browsers set in "private" mode. The lawsuit seeks at least $5 billion, accusing the Alphabet unit of collecting information about what people view online and where they do their browsing, despite using what Google calls Incognito mode. The complaint said Google surreptitiously collects data through Google Analytics, Google Ad Manager and other applications and website plug-ins, including smartphone apps, regardless of whether users click on Google-supported ads. This helps the Mountain View, California-based company learn details about users' friends, hobbies, favorite foods, shopping habits, and even the "most intimate and potentially embarrassing things" they search for online, the complaint said.

DEA authorized to conduct surveillance on protestors

The Drug Enforcement Administration has been granted sweeping new authority to "conduct covert surveillance" and collect intelligence on people participating in protests over the police killing of George Floyd, according to a two-page memorandum obtained by BuzzFeed News. Floyd's death "has spawned widespread protests across the nation, which, in some instances, have included violence and looting," the DEA memo says. "Police agencies in certain areas of the country have struggled to maintain and/or restore order." The memo requests the extraordinary powers on a temporary basis, and on Sunday afternoon a senior Justice Department official signed off. Attorney General William Barr issued a statement Saturday following a night of widespread and at times violent protests in which he blamed, without providing evidence, "anarchistic and far left extremists, using Antifa-like tactics," for the unrest. He said the FBI, DEA, US Marshals, and the Bureau of Alcohol, Tobacco, Firearms and Explosives would be "deployed to support local efforts to enforce federal law."

Minnesota is now using contact tracing to track protestors, as demonstrations escalate

As the Minnesota protests have spilled across the country, fueled by protestors angered over the police killing of an unarmed Minneapolis man named George Floyd, the protests have morphed into marches and demonstrations that have turned violent everywhere from New York City to Los Angeles. Curfews are being imposed in major cities around the US at the time of this writing, and at least eight states, as well as the District of Columbia, have requested the National Guard to assist local law enforcement. In some cities like Minneapolis, though, officials are starting to turn to a familiar tool to investigate networks of protestors. The tool is contact tracing, familiar because people have been hearing about it frequently in recent weeks as an important component of a comprehensive coronavirus pandemic response. According to Minnesota Public Safety Commissioner John Harrington, officials there have been using what they describe, without going into much detail, as contact tracing in order to build out a picture of protestor affiliations, a process that officials in the state say has led them to conclude that much of the protest activity there is being fueled by people coming in from outside the state.

Thousands of People Are Monitoring Police Scanners During the George Floyd Protests

The number of users of an app that lets people listen in to police radio broadcasts across the country is nearly doubling every day during the protests, according to its developer. As of Monday morning, '5-0 Radio' had skyrocketed above apps such as Facebook, Instagram, and TikTok to become the most popular paid app, and the second most popular free app, on the Apple App Store, according to Apple's own rankings. Other similar apps have also jumped in popularity. The news gives some indication of the scale of the protests and the attention they are drawing. The protests started last week when a white police officer killed George Floyd, an unarmed black man. One person at the protests told Motherboard that their friends have, in some cases, been listening to the scanners and giving them information about planned police actions, so they can protect themselves.

Vulnerabilities

New cold boot attack affects seven years of LG Android smartphones

South Korean phone manufacturer LG released a security update last month to fix a vulnerability that impacts its Android smartphones sold over the past seven years. [The vulnerability](https://github.com/shinyquagsire23/CVE-2020-12753-PoC), tracked under the identifier CVE-2020-12753, impacts the bootloader component that ships with LG smartphones. Separate from the Android OS, the bootloader is a piece of firmware specific to each smartphone vendor. It is the first piece of code that runs when a user starts their device, and it is responsible for ensuring that the smartphone firmware and the Android OS itself start in a correct and secure manner.

Crime

Hackers Plan To Use Stolen Cryptocurrency Exchange Data for SIM Swapping

Hackers who obtained personal data on users of Canadian cryptocurrency exchange Coinsquare say they plan to use the information to perform so-called SIM swapping attacks, according to one of the hackers. The news shows hackers' continued interest in trying to leverage security issues with telecom-based forms of authentication. In a SIM swapping attack, a hacker takes control of a target's phone number, which then gives them the ability to request password resets for some websites or a victim's two-factor authentication code. Often, SIM swappers will use these techniques to steal cryptocurrency. The breach also signals the continued risk of insider access, with Coinsquare telling Motherboard a former employee was responsible for stealing the data.

Misc

Internet Users of All Kinds Should Be Concerned by a New Copyright Office Report

Outside the beltway, people all over the United States are taking to the streets to demand fundamental change. In the halls of Congress and the White House, however, many people seem to think the biggest thing that needs to be restructured is the Internet. Last week, the president issued an order taking on one legal foundation for online expression: Section 230. This week, the Senate is focusing on another: Section 512 of the Digital Millennium Copyright Act (DMCA). The stage for this week's hearing was set by a massive report from the Copyright Office that's been five years in the making.

DOD's Third Attempt To Implement IPv6 Isn't Going Well

The US Department of Defense is woefully behind on its plan to upgrade its IT infrastructure to support the newer IPv6 protocol, according to a government report published on Monday. This current effort is the DOD's third attempt to upgrade its infrastructure to support IPv6 in the past 17 years. The first two attempts took place in 2003 and 2010, respectively. The 2003 effort was abandoned with the DOD citing security risks and a lack of personnel trained in IPv6, while the second attempt was also abandoned, similarly on the grounds that IPv6 was not yet secure enough for the DOD's sensitive networks.

Malware

Ursnif/Gozi Delivery - Old School Excel Macro 4.0 Utilization Uptick and the OCR Heuristics Bypass

Morphisec has been tracking an uptick in the delivery of Ursnif/Gozi during the COVID-19 pandemic. The latest delivery methods often involve old-school Excel 4.0 macro functionality, which has historically been a blind spot for AV detection because it has nothing to do with the VBA macro engine and is integrated as part of the workbook itself. INQUEST reported the use of similar techniques as part of a Zloader delivery campaign. Interestingly, in the latest campaign, it looks like the malware writers removed the image from the Excel document to avoid OCR heuristic detection following the INQUEST article.
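Because Excel 4.0 macro sheets live outside the VBA project, a scanner that only looks for vbaProject.bin will miss them. The following is an added example (not Morphisec's or INQUEST's code) that inspects an OOXML workbook for the indicators a defender would check: macrosheet parts declared in [Content_Types].xml or stored under xl/macrosheets/, a veryHidden sheet, an _xlnm.Auto_Open defined name, and cells calling EXEC/CALL/REGISTER. The sample workbook is constructed in memory and is a minimal zip, not a fully valid spreadsheet.

```python
import io
import re
import zipfile

# Content type Excel assigns to an Excel 4.0 (XLM) macro sheet part.
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
# XLM functions that hand control to external code; worth flagging on sight.
RISKY_FUNCS = ("EXEC", "CALL", "REGISTER")


def scan_workbook(data: bytes) -> dict:
    """Return XLM-related indicators found in an OOXML workbook (raw bytes)."""
    result = {"macrosheets": [], "auto_open": False, "very_hidden": 0, "risky_funcs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        declared = set()
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            for tag in re.findall(r"<Override\b[^>]*>", ct):
                if MACROSHEET_CT in tag:
                    part = re.search(r'PartName="/([^"]+)"', tag)
                    if part:
                        declared.add(part.group(1))
        # Catch parts declared as macrosheets and parts merely placed in the folder.
        result["macrosheets"] = sorted(declared | {n for n in names if n.startswith("xl/macrosheets/")})
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            result["auto_open"] = bool(re.search(r'definedName[^>]*name="_xlnm\.Auto_Open"', wb))
            result["very_hidden"] = len(re.findall(r'<sheet [^>]*state="veryHidden"', wb))
        for part in result["macrosheets"]:
            if part in names:
                text = zf.read(part).decode("utf-8", "replace")
                for fn in RISKY_FUNCS:
                    if re.search(r"<f>[^<]*\b%s\(" % fn, text):
                        result["risky_funcs"].append(f"{part}:{fn}")
    return result


def build_sample(with_xlm: bool) -> bytes:
    """Construct a minimal OOXML zip for the demo (constructed, not a real workbook)."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    sheets, defined, parts = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>', "", {}
    if with_xlm:
        overrides.append(f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>')
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        defined = '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
        parts["xl/macrosheets/sheet1.xml"] = '<macrosheet><sheetData><row r="1"><c r="A1"><f>CALL("kernel32","GetTickCount","J")</f></c></row></sheetData></macrosheet>'
    parts["[Content_Types].xml"] = "<Types>" + "".join(overrides) + "</Types>"
    parts["xl/workbook.xml"] = f"<workbook><sheets>{sheets}</sheets>{defined}</workbook>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Legacy binary .xls files store XLM sheets in BIFF records instead, so this check only covers the OOXML container; a tool such as oletools is needed for the older format.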